#!/sbin/ipf -f -
#
# SAMPLE: PERMISSIVE FILTER RULES
#
# THIS EXAMPLE IS WRITTEN FOR IP FILTER 3.3
#
# ppp0 - (external) PPP connection to ISP, address a.b.c.d/32
#
# ed0 - (internal) network interface, address w.x.y.z/32
#
# This file contains the basic rules needed to construct a firewall for the
# above situation.
#
#-------------------------------------------------------
# *Nasty* packets we don't want to allow near us at all!
# Short packets, i.e. fragments too short to be real.
block in log quick all with short
#-------------------------------------------------------
# Group setup.
# ============
# By default, block and log everything. This may be too much logging
# (especially for ed0) and needs to be further refined.
#
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from w.x.y.z/24 to any head 200
block out log on ed0 all head 250
#-------------------------------------------------------
# Invalid Internet packets.
# =========================
#
# Deny reserved addresses.
#
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
#
# Prevent IP spoofing.
#
block in log quick from a.b.c.d/24 to any group 100
#
#-------------------------------------------------------
# Localhost packets.
# ==================
# Packets going in/out of network interfaces that aren't the loopback
# interface should *NOT* exist.
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
# And of course, make sure the loopback allows packets to traverse it.
pass in quick on lo0 all
pass out quick on lo0 all
#-------------------------------------------------------
# Allow any communication between the inside network and the outside only.
#
# Allow all outgoing connections (SSH, TELNET, FTP, WWW, gopher, etc)
#
pass in log quick proto tcp all flags S/SA keep state group 200
#
# Support all UDP `connections' initiated from inside.
#
# Allow ping out
#
pass in log quick proto icmp all keep state group 200
#-------------------------------------------------------
# Log these:
# ==========
# * return RST packets for invalid SYN packets to help the other end close
block return-rst in log proto tcp from any to any flags S/SA group 100
# * return ICMP error packets for invalid UDP packets
block return-icmp(net-unr) in proto udp all group 100
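The head/group walk above is easy to misread, so here is an added example (my own code, not part of IP Filter or of this sample file) that models the subset of ipf rule semantics this file depends on and runs the ruleset over a handful of constructed packets: rules are walked top to bottom, the last match wins unless it is `quick`, a matching `head N` rule hands evaluation to group N, and `group N` rules are only reached through their head. It does not model `keep state`, so the verdicts are what the static rules alone say; in the real filter, state created by the two `keep state` rules passes the matching replies and the forwarded copies on ppp0. The placeholders a.b.c.d and w.x.y.z are replaced with the constructed addresses 203.0.113.5 and 192.168.1.1, and 198.51.100.7 stands in for an arbitrary remote host. Note what the run shows for UDP from the inside network: the comment "Support all UDP `connections' initiated from inside" has no rule under it, so such a packet matches no pass rule in group 200 and is left with the head 200 block.

```python
"""Toy evaluator for the ipf ruleset above (added example, not IP Filter code).
Models only: top-to-bottom walk, last match wins unless 'quick', 'head N' hands
evaluation to group N, 'group N' rules reached only via their head, no match
means pass. 'keep state' is NOT modelled. a.b.c.d -> 203.0.113.5 and
w.x.y.z -> 192.168.1.1 are constructed substitutions for the placeholders."""
import ipaddress

RULESET = """\
block in log quick all with short
block in log on ppp0 all head 100
block out log on ppp0 all head 150
block in log on ed0 from 192.168.1.1/24 to any head 200
block out log on ed0 all head 250
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from 203.0.113.5/24 to any group 100
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
block in log quick from 127.0.0.0/8 to any group 200
block in log quick from any to 127.0.0.0/8 group 200
pass in quick on lo0 all
pass out quick on lo0 all
pass in log quick proto tcp all flags S/SA keep state group 200
pass in log quick proto icmp all keep state group 200
block return-rst in log proto tcp from any to any flags S/SA group 100
block return-icmp(net-unr) in proto udp all group 100
"""

def cidr(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse one rule into a dict; only keywords that occur in RULESET are known."""
    t = line.split()
    r = dict(text=line, action=t[0], ret=None, dir=None, quick=False, on=None, proto=None,
             src=None, dst=None, flags=None, short=False, head=None, group=None)
    i = 1
    if t[i].startswith("return-"):            # return-rst / return-icmp(net-unr)
        r["ret"], i = t[i], i + 1
    r["dir"], i = t[i], i + 1
    ONE = {"log", "all", "quick"}             # keywords that take no argument
    while i < len(t):
        k = t[i]
        arg = None if k in ONE else t[i + 1]
        if k == "quick":                      r["quick"] = True
        elif k in ("on", "proto", "flags"):   r[k] = arg
        elif k in ("from", "to"):             r["src" if k == "from" else "dst"] = cidr(arg)
        elif k == "with":                     r["short"] = arg == "short"
        elif k in ("head", "group"):          r[k] = int(arg)
        elif k not in ("log", "all", "keep"):  # 'keep state' is accepted but not modelled
            raise ValueError(f"unsupported token {k!r} in: {line}")
        i += 1 if k in ONE else 2
    return r

def matches(r, p):
    """Does rule r match packet p (dict with dir, iface, proto, src, dst, flags, short)?"""
    if r["dir"] != p["dir"] or (r["on"] and r["on"] != p["iface"]) \
            or (r["proto"] and r["proto"] != p["proto"]) or (r["short"] and not p.get("short")):
        return False
    for key in ("src", "dst"):
        if r[key] and ipaddress.ip_address(p[key]) not in r[key]:
            return False
    if r["flags"]:                            # S/SA: of the SYN and ACK bits, only SYN is set
        want, mask = r["flags"].split("/")
        have = set(p.get("flags", ""))
        return {b for b in mask if b in have} == set(want)
    return True

def evaluate(rules, p):
    """Return (verdict, text of the deciding rule) for packet p."""
    groups = {g: [r for r in rules if r["group"] == g] for g in {r["group"] for r in rules}}
    result = ["pass", None]                   # ipf's default when nothing matches
    def walk(rule_list):                      # True once a 'quick' match ends the walk
        for r in rule_list:
            if not matches(r, p):
                continue
            result[:] = [r["action"] + (f" {r['ret']}" if r["ret"] else ""), r["text"]]
            if r["head"] is not None and walk(groups.get(r["head"], [])):
                return True
            if r["quick"]:
                return True
        return False
    walk([r for r in rules if r["group"] is None])
    return tuple(result)

RULES = [parse_rule(l) for l in RULESET.splitlines() if l and not l.startswith("#")]
# Constructed packets; 'dir' is the direction on the named interface.
PACKETS = {
    "spoofed_private": dict(dir="in", iface="ppp0", proto="tcp", src="10.1.2.3", dst="203.0.113.5", flags="S"),
    "spoofed_own_net": dict(dir="in", iface="ppp0", proto="udp", src="203.0.113.9", dst="203.0.113.5"),
    "inbound_syn":     dict(dir="in", iface="ppp0", proto="tcp", src="198.51.100.7", dst="203.0.113.5", flags="S"),
    "inbound_udp":     dict(dir="in", iface="ppp0", proto="udp", src="198.51.100.7", dst="203.0.113.5"),
    "short_fragment":  dict(dir="in", iface="ppp0", proto="tcp", src="198.51.100.7", dst="203.0.113.5", short=True),
    "lan_tcp_out":     dict(dir="in", iface="ed0", proto="tcp", src="192.168.1.20", dst="198.51.100.7", flags="S"),
    "lan_udp_out":     dict(dir="in", iface="ed0", proto="udp", src="192.168.1.20", dst="198.51.100.7"),
    "loopback":        dict(dir="in", iface="lo0", proto="tcp", src="127.0.0.1", dst="127.0.0.1", flags="S"),
}
def verdicts():
    return {name: evaluate(RULES, p)[0] for name, p in PACKETS.items()}
```

Running `verdicts()` gives block for the two spoofed packets and the short fragment (all ended by a `quick` rule in group 100 or at the top), `block return-rst` for the unsolicited inbound SYN and `block return-icmp(net-unr)` for the inbound UDP datagram (both non-quick group 100 rules that override the head's plain block as the last match), pass for the LAN SYN and the loopback packet, and block for the LAN UDP datagram, whose deciding rule is the `head 200` line itself.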